This is a good overview, worth reading. I have some nits.<p>* This isn't a legit criticism of the article, but: it drives me nuts when people suggest the big problem with ECB is that you can see penguins through it. The reason ECB penguins are see-through is that ECB isn't semantically secure. The bigger problem with this trait is that you can usually <i>decrypt ECB altogether without a key!</i>. A really thorough understanding of how ECB breaks down is hugely helpful to understanding the TLS flaws. Enough with the penguins!<p><a href="http://cryptopals.com/sets/2/challenges/12/" rel="nofollow">http://cryptopals.com/sets/2/challenges/12/</a><p>* Timing-driven padding oracles predate Lucky 13; the person who more or less taught me crypto told me about them back in 2009. Again, not a super legit criticism of the article, but worth knowing.<p>* There are other error side channel attacks besides padding oracles, and some of them affect modes other than CBC.<p>* CBC mode is in decline, but the article is kind of incoherent about why, or whether that's a good thing. "CBC is OK for static content" is a recommendation that doesn't make any sense to me at all. CTR and derivatives will eat CBC entirely over the long run: CTR is simpler than CBC (it has minimal format constraints), only requires the encryption transform, and is marginally easier to implement faster.<p>* What's really in decline is generic composition cryptosystems, where encryption and authentication are specified independently. Most of the last 10 years of TLS bugs stem from TLS being specified before the industry understood the central role of authentication in secure cryptosystems. For a good example of this, look at POODLE, which is an attack made possible by an idiosyncratic CBC that uses nondeterministic padding that can't be reliably authenticated.
This is a fantastic writeup covering a large amount of cryptography, both in and outside the context of the web. Reading about all of this summarized in a practical context including all of the real-world nasties like ARP spoofing is both great, and double-great for getting a feel about why utterances like "hm, this <i>should</i> be okay given <i>this</i> circumstance" should always put fear in your heart when talking about security.<p>Also, wow, I'd never seen that link to The Cryptographic Doom principle before, despite trying to elucidate that concept before myself (badly). That's a fantastic bookmark to keep for inclusion in explanations on tickets filed against dubious crypto.<p>Likewise, this link is going in my bookmarks for immediate deployment when I need a litany of padding oracles and timing attacks to explain why indistinguishability is essential to a friend. Thanks, author!